INTRODUCTION

I don't like compliance. The very word is jarring, implying control of someone over another. I remember when I first came across the organisational structure and function of compliance. I have worked in some exciting areas, including crisis response, counter-terrorism, and political risk. I loved that work. I didn't realise it then, but it's all about people and why we do what we do. I moved from that job to one in investigations, which included conducting due diligence on the prospective clients of prominent investment banks. Due diligence - know your customer - is snooping into someone's background. Our job was to ensure the bank wasn't onboarding clients with more skeletons in their closet than a medical training aid factory.

When we delivered our reports, it became apparent that the focus was another acronym: CYA = cover your ass/arse. All too often, organisations term this butt-bashfulness, compliance. I remember sitting on a call with a few bankers and my Russia analyst colleague. We'd found strong evidence that a serving public official almost certainly owned a prospective business they wished to finance through offshore holdings. Officials should not hold non-disclosed commercial interests, generally. The bankers asked if we had documentary proof of the shareholding. The complex ownership structure quickly left Russia for sunny offshore jurisdictions with ironclad secrecy. We did not. Our evidence followed testimony from former and existing employees. They confirmed that the official owned the business; he had an office with a dialysis machine (to cleanse his blood of all the cocaine). This official also had significant alcohol and drug abuse issues, which had resulted in his killing or maiming people (multiple occasions) while driving under the influence. The bankers asked us if the deaths had led to prosecutions. We confirmed they had not, as he'd bribed the police and judiciary. They countered by requesting documentary evidence of that bribery (our evidence was circumstantial but corroborated by multiple sources). Obtaining physical proof of corruption is incredibly challenging, as you require access to (often offshore) accounts and surveillance, among other methods. The call concluded with the bankers saying, "Well, then, as we see it, you don't have physical proof of wrongdoing, so I think we can proceed."

Compliance is often obeying clearly defined rules or pretending to. In this example, it is legal if it's not proven criminal. Compliance can be the base level of morality in many situations.

Why, therefore, am I writing a book covering topics that would be classed (by many) as compliance? Because I care about risk, and more specifically, helping people make ethically minded and risk-based decisions. I want to make integrity risk-relevant - all risks an organisation might face with ethical components. This broad church - from corruption to human rights to discrimination - overlaps more than it digresses.

In 1973, Donald R. Cressey devised what is now known as Cressey's Fraud Triangle.1 Fraud, in this case, is defined so broadly as to cover most crimes that will occur in an organisation. The model posited that fraudulent acts were a function of opportunity, rationalisation, and pressure. Compliance, for many years, focused principally on the opportunity part, where systems and processes do not exist or are insufficient. For example, stealing from the cash register because there is no CCTV monitoring and balance checks are irregular or sloppy. It makes sense to focus on opportunity; it is a variable we (think we) can control.

In my experience over the past 20 (or so) years, an opportunity is seldom the main reason. This hunch is borne out in the survey data that the Association of Certified Fraud Examiners (ACFE) gather yearly in their Report to the Nations.2 Their report, surveying some of their 90,000 (and growing) members, who are focused on investigations, typically indicates that controls failure is the primary reason for violations in roughly a third of cases.

What's happening in the majority of cases? Well, that would be where pressure and rationalisation come into play. This human element is where I live and work. Pressure is a massive area we will unpack in some detail, but another word for it that may resonate more is motive. That's what makes us cut corners, do things we should not, and often compromise our ethics for the benefit of our employer. Understanding why we make the decisions we do and the cultural, situational, and psychological reasons for ethical and compliance failures is, I believe, the key to better organisational ethics and behaviour.

It is that mission that keeps me motivated. Why? Because I've spent most of my career working in emerging markets. I don't see corruption theoretically; I see it as nineteenth-century illnesses stemming from unsafe water. The contractor who built the water pipes was unqualified (bribed to win the bid), and the subsequent pipe-laying overlapped with sewage systems. I don't see the money laundering pithily portrayed in high-budget TV series. I see North Korea funding brutal oppression, using banks in barely regulated nations to wash gambling and criminally acquired cash. I don't see human rights issues; I see logistics drivers in Myanmar forced to act as minesweepers at gunpoint. I don't see environmental violations; I see death after shoddily constructed hydropower projects collapse.

I am labouring the point intentionally. I don't relate to violations on paper; I see them experientially - and I haven't even got into human and wildlife trafficking. Compliance violations are not financial, white-collar, economic crime, or any other distancing language. They are crimes, infecting entire nations and robbing billions of people of fundamental rights. Corruption is the common denominator in almost all these issues - it is the how enabling almost all violations and deserves particular attention.

Maybe, therefore, we need to rethink integrity risk and compliance. That starts with honesty.

Why Now?

Organisational ethics is getting better, isn't it? Looking at whatever feeds you rely on for information will reveal the latest corporate, organisational, or governmental misdeed headlines. We could debate whether that is a function of unethical activity levels or increased societal and journalistic vigilance, but that misses the point. It happens a lot, and we claim we want that to change.

I recently typed "business ethics" into Google and got 380,000,000 results. "Business corruption", a much clunkier phrase, generated 294,000,000 results. Acknowledging that Google - and its results - are not an academic analysis of all public discourse on the topics, that's a rough 56/44% split. If I said to you that 44% of businesses were corrupt, would you agree? Possibly not. So how many are? 30%, 20%, or 5%?

In more relatable terms, 5% of global Gross Domestic Product (GDP) represents an economy the size of Japan or Germany. Big.

I am not guesstimating that a certain percentage of organisations are all bad; I am saying the issue is significant. Any group is an aggregation of people with our collective flaws and limitations. We evolve (hopefully) and learn from our mistakes, creating more tolerant, transparent, and equitable societies. The entities and agencies who employ, serve, and supply us are also learning, but it's not easy. Where do you start?

I don't mind where you start; the journey and destination matter more. We are at an inflection point in many post-industrial economies, where environmental, social, and integrity concerns impact consumer, stakeholder, and employee actions and decisions. In the past few decades, I've seen a trickle (of genuine concern about ethics) turn into a steady stream. The natural inclination for many is to write more policies and create more controls. I prefer to treat people like adults and empower them to make better decisions.

Who Is This Book For?

This book is for those trying to do the right thing, usually with insufficient data, limited resources, and often with recalcitrant or hostile stakeholders. Just because you say no to corruption doesn't mean the local politician won't stick their hand out. It's where honest intention meets risk reality that I focus. I've spent most of my career operating in places where the demand side of risk remains pervasive and robust. It's hard to do the right thing when the decks are stacked; the political framework is inept or corrupt, the judiciary biased and bribed; and competitors don't share your values. That's the bad news. The good news is you're not alone.

I remember the turning point in my career vividly. I was working with a construction and mining firm that had uncovered the potential bribing of public officials in one of their subsidiaries. I was part of a team tasked with interviewing, assessing the risk, and training other subsidiaries. We were running a workshop in Manila. On entering the conference room, I saw a depressingly familiar sight, many large, burly white men with thick gold bracelets and necklaces, arms folded, leaning back, looking hostile. We weren't five minutes into discussing corruption risks when we got the first, "It's how things are done in The Philippines." More came once the one person had opened the floodgates of sweeping national assumptions. Terms like "these people" and...